search

NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License
3.03k stars 347 forks source link

val_nsec3_nods_badsig test fails with 1.16.0 #690

Open heirecka opened 2 years ago

heirecka commented 2 years ago

Describe the bug val_nsec3_nods_badsig passed with 1.15.0 but fails here with 1.16.0.

To reproduce Steps to reproduce the behavior:

  1. ./configure ... && make && make check

Expected behavior Test passes

System:

Configure line: --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --prefix=/usr/x86_64-pc-linux-gnu --bindir=/usr/x86_64-pc-linux-gnu/bin --sbindir=/usr/x86_64-pc-linux-gnu/bin --libdir=/usr/x86_64-pc-linux-gnu/lib --datadir=/usr/share --datarootdir=/usr/share --docdir=/usr/share/doc/unbound-1.16.0 --infodir=/usr/share/info --mandir=/usr/share/man --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --enable-fast-install --enable-dsa --enable-ecdsa --enable-gost --enable-subnet --disable-flto --disable-ipset --disable-static --with-libbsd --with-libevent=/usr/x86_64-pc-linux-gnu --with-libexpat=/usr/x86_64-pc-linux-gnu --with-pidfile=/run/unbound.pid --with-ssl=/usr/x86_64-pc-linux-gnu --disable-debug --disable-dnstap --enable-systemd --with-libnghttp2 --with-pthreads --without-libunbound-only --without-pythonmodule --without-pyunbound Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1o 3 May 2022 Linked modules: dns64 subnetcache respip validator iterator


**Additional information**

End of the output from running the test (apparently github has a limit of 65536 characters, but I'll attach the full output):

[1654333500] unbound[1028570:0] debug: query took 0.000000 sec [1654333500] unbound[1028570:0] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out [1654333500] unbound[1028570:0] info: average recursion processing time 0.000000 sec [1654333500] unbound[1028570:0] info: histogram of recursion processing times [1654333500] unbound[1028570:0] info: [25%]=0 median[50%]=0 [75%]=0 [1654333500] unbound[1028570:0] info: lower(secs) upper(secs) recursions [1654333500] unbound[1028570:0] info: 0.000000 0.000001 1 [1654333500] unbound[1028570:0] debug: cache memory msg=67620 rrset=69922 infra=7808 val=68228 subnet=74504 [1654333500] unbound[1028570:0] info: testbound: end of event stage [1654333500] unbound[1028570:0] debug: comparepkt: [1654333500] unbound[1028570:0] debug: bad EDE INFO-CODE. Expected: 7, and got: 9

[1654333500] unbound[1028570:0] info: testbound: do STEP 10 CHECK_ANSWER [1654333500] unbound[1028570:0] fatal error: testbound: not matched ./testdata/val_nsec3_nods_badsig.rpl failed make: *** [Makefile:347: test] Error 1

heirecka commented 2 years ago

Hmm, apparently attaching doesn't work either, but here's a link: https://gist.github.com/heirecka/e3ddbc1640aca3de52ff391703c7aa91

TCY16 commented 2 years ago

Hi @heirecka,

we've looked into this a little bit, but we can't reproduce it on our systems. The error you're getting is introduced in 1.16.0 as this added EDE support. The error you see from the unit test is solely due to the EDE code, the functionalities of Unbound are unaffected. Moreover, EDE 9 (DNSSEC Bogus) is a semantically correct response, although EDE 7 (DNSKEY Missing) is more specific, so it's still fine to run this version either way.

We'll try to dig deeper into this, in the meantime, can you specify what OS you're running on and what steps you took for us to reproduce?